1xEV-DO Security
Wireless and Wireline Security
As the Internet is used for transmission of sensitive information, it is very important to have
secure connections. This is true for both wireline and wireless Internet. A number of security
measures that have already been developed for the wireline Internet are also applicable to the
wireless Internet.
First, let's look at the contrast between security requirements for voice and Internet services in
general. In order to eavesdrop on a wireline voice call, one would have to access the physical
wires of the PSTN. Voice traffic is rarely encrypted because PSTN networks are relatively
secure. Although analog transmissions are easily decipherable, there are physical constraints in
place on neighborhood junction boxes and circuits. This provides a sense of security to most
consumers, who transmit sensitive information over the wireline voice network.
In a cellular voice network, the PSTN portion of the network is again considered secure from
external access. In some instances, such as government applications, the wireless portion of the
cellular voice network may be further protected with encryption. However, in contrast to analog
wireless systems, CDMA is inherently very secure, and CDMA voice services intended for
consumers are typically not encrypted.
Looking back at the wireline Internet, it is relatively easy to access and monitor other users'
traffic. Switched wireline environments allow traffic destined to all users to be easily monitored
from a user's computer, and shared environments allow all network traffic to be monitored.
This is the reason many security mechanisms have already been built into web browsers and web
server applications (e.g., Secure Sockets Layer, Transport Layer Security), and operating systems
have integrated VPNs (e.g., PPTP, L2TP, IPsec). These security mechanisms have been
heavily scrutinized by security experts worldwide and have proven to be robust and secure.
Because each link in the Internet's distributed architecture is equally vulnerable, end-to-end
encryption is required for secure Internet connections (Diagram 1). In addition, the user is
authenticated and authorized by the Internet Service Provider (ISP).
Diagram 1: Two end-to-end paths. Top: 1xEV-DO Airlink -> Wireless ISP -> Internet -> Server, with a VPN applied so the data is protected along the whole path. Bottom: 1xEV-DO Airlink -> Wireless ISP -> Internet -> Firewall -> Intranet / Corp. LAN -> Server.
This model can easily be extended to the wireless realm, and all the same well-tested security
mechanisms can be used in cellular wireless Internet systems (Diagram 2). It is important to
note that, once again, end-to-end encryption is required. If only the airlink is encrypted, and not
the remaining paths through the Internet, then the user's traffic is still vulnerable and the added
protection on the airlink has been circumvented. It is extremely important to utilize VPN
techniques that encrypt and protect the entire path.
Diagram 2: 1xEV-DO -> Wireless ISP -> Internet -> Remote Server (or Local Server at the Wireless ISP). Air-link encryption covers only the 1xEV-DO hop; end-to-end encryption at the network or application layer covers the whole path from the device to the server.
Following the wireline Internet model benefits providers by allowing the use of the same well-tested
security mechanisms. It has been shown in the past that new security mechanisms devised
by the GSM and Wireless LAN communities have not been as successful, since they have not had
the same level of testing and scrutiny as the well-established Internet security protocols.
1xEV-DO Security
1xEV-DO, the IS-856 standard, offers authentication, authorization and the capability to add
encryption mechanisms. The standard provides provisions such as protocol type and crypto-sync
to define an encryption protocol for the airlink. The provisions in the IS-856 standard that allow
encryption to be added give manufacturers the flexibility to encrypt all the information
transferred over the airlink or only specific channels. This is left to the implementer's discretion.
The BSC and RADIUS server derive a session key (referred to as the AirInterfaceSessionKey),
then exchange the keys. If the keys match, then the PPP and LCP negotiation is initiated. The
device passes its Username to the RAN, where the RADIUS server authenticates the device. Upon
a positive authentication the BSC binds the AirInterfaceSessionKey to the IMSI and the RADIUS
server binds the NAI to the IMSI (Diagram 3). If the user is not located at their home network, the
serving carrier's RADIUS server proxies to the home network's RADIUS server to
authenticate the device (see section: Authentication for Roaming).
The session key is good for the lifetime of each session. New keys are generated with every new session.
Diagram 3: 1xEV-DO Airlink Authentication, between the BSC and the RADIUS Server. Each end-point begins with a private key (the RADIUS server stores the private keys). The two sides exchange public keys, then exchange the AirInterfaceSessionKey (shared secret). PPP and LCP negotiations follow. On positive authentication the BSC binds the session key to the IMSI. CHAP negotiation carries the NAI (device@wirelessisp.com); on positive authentication the RADIUS server binds the NAI to the IMSI. Airlink authentication is then complete.
After the user authenticates on the network, information regarding the user's authorized
services is sent from the RADIUS server to the PDSN in the form of an Access-Accept
message (Diagram 4). The user's services have now been authorized and they are free to use the
network in accordance with their authorized RAN services.
Diagram 4: Authorization between the PDSN and the RADIUS Server. CHAP negotiation carries the NAI and password; if the NAI and password match, authentication is positive. Authorization process: the RADIUS server forwards the user's authorized services to the PDSN, and the PDSN allows the authorized services.
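The sequence in Diagrams 3, 4 and 5 (airlink key agreement, CHAP authentication against the RADIUS server carrying the NAI, an Access-Accept listing authorized services, and proxying to the home RADIUS server for a roaming subscriber) can be followed in a small runnable model. This is an added example, not IS-856 or any vendor's code: a Diffie-Hellman style exchange over a toy group stands in for the public-key exchange that produces the AirInterfaceSessionKey, key confirmation is modelled with a MAC rather than sending the key itself, CHAP follows RFC 1994 (MD5), and the RADIUS servers, realms, password and IMSI are constructed in memory.

```python
"""Toy model of 1xEV-DO access authentication (constructed example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumption: a tiny DH group so the example runs instantly. A real
# deployment would use a standard group of at least 2048 bits.
TOY_P = 2**61 - 1  # Mersenne prime, far too small for real use
TOY_G = 3


class AirlinkEndpoint:
    """One side of the airlink key agreement: the BSC or the RADIUS server.
    Each end-point begins with a private key, publishes its public key and
    derives the AirInterfaceSessionKey (the shared secret) from the peer's."""

    def __init__(self, name):
        self.name = name
        self.private_key = 2 + int.from_bytes(os.urandom(8), "big") % (TOY_P - 3)
        self.public_key = pow(TOY_G, self.private_key, TOY_P)
        self.session_key = None

    def derive_session_key(self, peer_public_key):
        shared = pow(peer_public_key, self.private_key, TOY_P)
        self.session_key = hashlib.sha256(
            b"AirInterfaceSessionKey" + shared.to_bytes(8, "big")).digest()
        return self.session_key

    def key_confirmation(self):
        # The paper says the sides exchange the keys and check they match;
        # a MAC over a fixed label confirms the match without sending the
        # key over the air (assumption about how to model the exchange).
        return hmac.new(self.session_key, b"key-confirm", "sha256").digest()


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


@dataclass
class RadiusServer:
    """User profiles for one realm; other realms are proxied to the home
    server (Diagram 5). Binds NAI to IMSI on positive authentication."""
    realm: str
    users: dict                                   # NAI -> (password, services)
    proxies: dict = field(default_factory=dict)   # realm -> home RadiusServer
    nai_to_imsi: dict = field(default_factory=dict)

    def authenticate(self, nai, imsi, ident, challenge, response):
        realm = nai.rpartition("@")[2]
        if realm != self.realm:                   # roaming subscriber: proxy mode
            home = self.proxies.get(realm)
            if home is None:
                return {"code": "Access-Reject", "reason": "unknown realm"}
            return home.authenticate(nai, imsi, ident, challenge, response)
        entry = self.users.get(nai)
        if entry is None:
            return {"code": "Access-Reject", "reason": "unknown NAI"}
        password, services = entry
        expected = chap_response(ident, password, challenge)
        if not hmac.compare_digest(expected, response):
            return {"code": "Access-Reject", "reason": "bad CHAP response"}
        self.nai_to_imsi[nai] = imsi              # RADIUS binds NAI to IMSI
        # Access-Accept carries the user's authorized services to the PDSN.
        return {"code": "Access-Accept", "services": list(services)}


def access_authentication(nai, password, imsi, serving_radius):
    """Run the whole sequence and return a summary of each step."""
    bsc, radius_end = AirlinkEndpoint("BSC"), AirlinkEndpoint("RADIUS")
    bsc.derive_session_key(radius_end.public_key)        # exchange public keys
    radius_end.derive_session_key(bsc.public_key)
    if not hmac.compare_digest(bsc.key_confirmation(), radius_end.key_confirmation()):
        return {"airlink": False}
    key_binding = {imsi: bsc.session_key}                 # BSC binds key to IMSI
    # PPP/LCP negotiation would happen here; then CHAP via the PDSN.
    ident, challenge = 1, os.urandom(16)
    response = chap_response(ident, password, challenge)
    reply = serving_radius.authenticate(nai, imsi, ident, challenge, response)
    return {"airlink": True, "key_bound_to": list(key_binding), "radius": reply}


def build_network():
    """Constructed home and serving RADIUS servers; realms and data are made up."""
    home = RadiusServer("wirelessisp.com",
                        {"device@wirelessisp.com": (b"s3cret", ("Internet", "VPN"))})
    serving = RadiusServer("visited.example", {}, proxies={"wirelessisp.com": home})
    return home, serving


if __name__ == "__main__":
    home, serving = build_network()
    imsi = "310001234567890"  # constructed IMSI
    print(access_authentication("device@wirelessisp.com", b"s3cret", imsi, home))
    print(access_authentication("device@wirelessisp.com", b"s3cret", imsi, serving))
    print(access_authentication("device@wirelessisp.com", b"wrong", imsi, home))
```

The second call shows the roaming case: the serving server recognises a foreign realm in the NAI and proxies the CHAP material to the home server, which is the only one that holds the user's profile and therefore the only one that records the NAI-to-IMSI binding.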
Diagram 5: Authentication for a roaming subscriber. Roaming Subscriber -> 1xEV-DO -> Serving System RADIUS Server (Proxy Mode) -> Internet -> Wireless ISP RADIUS Server (User's Profile).